[Dataloss] Oldest Data Loss Incident - Contest Winners

From: lyger (lygerattrition.org)
Date: Sun May 31 2009 - 21:05:35 CDT


In early April, Open Security Foundation came up with an idea for a new
contest for DataLossDB. OSF had done something similar for our sister
project, the Open Source Vulnerability Database (OSVDB) a few years back:
an "oldest vulnerability contest"; this time, we decided to bring the same
type of contest to DataLossDB. We lined up some great sponsors, and held
high hopes that contestants would be reaching down into the 90's for data
loss incidents, striving to win one of the excellent prizes kindly donated
by our sponsors.


Multiple contestants submitted the "most misused social security number
of all time" story, regarding a wallet manufacturer who placed a social
security card "look-a-like" in wallets they sold which happened to contain
the Social Security number of a vice president's secretary, Mrs. Hilda
Schrader Whitcher. Reportedly, by 1943, thousands of people were using
her Social Security number as their own. A data loss incident, no doubt,
but the number affected is less than 10, which unfortunately made it
ineligible for the competition and not a fit for the data set. There was
also a great submission regarding a card embosser who printed and used
3,000 fake Diners Club cards. A great story of credit card fraud, but
not one that threatens identities, and thus not something we'd really
include in the data set. The numbers were fake, as were the names.

We had several other decent submissions that we couldn't accept as well,
such as a 1998 incident where CBS SportsLine exposed information regarding
thousands of March Madness contestants on their website, or the WRGT Fox
45 breach of 1999 where names, addresses, and email addresses were exposed
on their website in a text file. The information wouldn't qualify as PII
(most of the information would be considered "telephone book material"),
but it was interesting to see late 1990's security breaches.

All of the entries listed above were fascinating submissions in one way or
another, but didn't make the cut for inclusion in the database, and thus
didn't make the cut for winning prizes. Most entries DID, however, make
the cut... and without further ado...


Dataloss Mailing List (datalossdatalossdb.org)
